Google: Security Keys Neutralized Employee Phishing

Discussion in 'privacy technology' started by mood, Jul 23, 2018.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,417
    Google: Security Keys Neutralized Employee Phishing
    July 23, 2018
    https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,197
    That is impressive. But then, I presume that their physical security is also pretty tight.

    But let's say that mine isn't. How hard would it be to brute force the physical key?

    Also, I'm guessing that such physical keys are well-enough isolated from devices that malware can't compromise them. Right?
     
  3. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,083
    Location:
    Member state of European Union
You mean every one of 70k+ Google engineers around the world? No, they aren't.
Of course they also use role-based access control and the principle of least privilege.
     
    Last edited: Jul 24, 2018
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,188
    Location:
    Here
    Google announces its own security key for stronger logins
    https://www.theverge.com/2018/7/25/17613332/google-titan-security-key-login-2fa
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,218
Nobody short of the NSA on steroids is even going to dream about breaking into a U2F element remotely. NO known way to even get close! I have never slept better at night. After transitioning to U2F exclusively for my most important "true name" accounts I have lost all concerns for phishing, MITM, etc. Yubikeys (the industry leader for the general population) cannot be manipulated at all. One of Yubi's strictest guidelines is that you can't EVER change the firmware, even with their assistance. It comes from the "factory" with SET firmware and it's not going to get changed.

If you consider security as a pipe, remember it has two ends. Assuming the user keeps their end of the pipe secure, the attacker can still consider trying to break in from the other end, which is the website server. If a site runs poor OPSEC and the server end is breached, it won't really matter if YOUR end is solid.
     
    Last edited: Jul 25, 2018
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
If we're talking the U2F key on its own (not the "normal" Yubikeys, which have richer functionality and can be reprogrammed), then the API is extremely simple and, I suspect, extremely hard to attack remotely UNLESS there are undocumented features built in by the vendor and known to the attacker.

    Which leads to the usual conclusion: an open source firmware project with suitable open hardware support is the ticket, if you're not willing to trust Yubico.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,197
    OK, thanks :)

    But what if an adversary has the key? I get that at least some will nuke after too many failures. But what about physical hacking? Do they have the sorts of hardware protection that military-grade crypto modules use? Such as embedded wire grids?
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
My understanding of the physical security of the classic Yubikey is that it was nothing special, with no military-grade crypto modules or self-destruct or anything. So, you'd have to assume that if physically owned, the root certificate/secret would become vulnerable (the U2F Yubikey generates certificates on the fly using the source URL as part of the derivation, which is why it doesn't need to generate certificates per site and store them every time).

    I'm personally less concerned about that because that's nation-state stuff and if they have your U2F key, they probably have you by other things you have.
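Worked model of what posts 5 and 8 describe, added here as an illustration; this is not code from the thread, from Yubico or from Google. A toy U2F-style authenticator keeps a single master secret and re-derives each site's P-256 key pair on demand from that secret, the app ID (the origin) and a nonce that travels inside the key handle, so nothing per site is stored on the device and losing the master secret is the whole game. The relying party (web server) checks the origin the browser wrote into the client data, the signature counter and the signature. Names (Authenticator, RelyingParty, Demo), the HMAC-based derivation, the handle layout and the sample origins and secret are assumptions for illustration; real devices differ in details such as attestation and exact handle format.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"math/big"
)

// Authenticator is a constructed toy U2F-style device (assumption: not Yubico's or Google's design).
// It holds one master secret; every site's P-256 key pair is re-derived from it on demand, never stored.
type Authenticator struct {
	master  []byte // never leaves the device
	counter uint32 // signature counter, bumped on every assertion
}

// prf = HMAC-SHA256(master, label || nonce || appID); the label keeps handle tags and key seeds apart.
func (a *Authenticator) prf(label string, nonce []byte, appID string) []byte {
	h := hmac.New(sha256.New, a.master)
	h.Write(append(append([]byte(label), nonce...), appID...))
	return h.Sum(nil)
}

// deriveKey rebuilds the per-site key from the master secret, the app ID and the handle's nonce.
func (a *Authenticator) deriveKey(appID string, nonce []byte) (*ecdsa.PrivateKey, error) {
	seed := a.prf("key", nonce, appID)
	sk, err := ecdh.P256().NewPrivateKey(seed) // rejects 0 or >= curve order (odds ~2^-128)
	if err != nil {
		return nil, err
	}
	p := sk.PublicKey().Bytes() // uncompressed point: 0x04 || X || Y
	return &ecdsa.PrivateKey{D: new(big.Int).SetBytes(seed), PublicKey: ecdsa.PublicKey{
		Curve: elliptic.P256(), X: new(big.Int).SetBytes(p[1:33]), Y: new(big.Int).SetBytes(p[33:])}}, nil
}

// Register returns key handle = nonce || HMAC(master, "handle" || nonce || appID) and the public key.
func (a *Authenticator) Register(appID string) ([]byte, *ecdsa.PublicKey, error) {
	nonce := make([]byte, 16)
	rand.Read(nonce) // since Go 1.24 this never returns an error (it aborts the process instead)
	priv, err := a.deriveKey(appID, nonce)
	if err != nil {
		return nil, nil, err
	}
	return append(nonce, a.prf("handle", nonce, appID)...), &priv.PublicKey, nil
}

// signedDigest is what both sides hash: SHA256(appID) || presence || counter || SHA256(clientData).
func signedDigest(appID string, counter uint32, clientData []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append(appHash[:], 0x01) // 0x01: user presence (touch) confirmed
	d := sha256.Sum256(append(binary.BigEndian.AppendUint32(msg, counter), cdHash[:]...))
	return d[:]
}

// Authenticate signs only if the browser-supplied app ID is the one the handle was issued for.
func (a *Authenticator) Authenticate(appID string, handle, clientData []byte) (uint32, []byte, error) {
	if len(handle) != 48 || !hmac.Equal(handle[16:], a.prf("handle", handle[:16], appID)) {
		return 0, nil, errors.New("key handle was not issued for this app ID")
	}
	priv, err := a.deriveKey(appID, handle[:16])
	if err != nil {
		return 0, nil, err
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, a.counter, clientData))
	return a.counter, sig, err
}

// RelyingParty is the web server side: it keeps the user's public key and the last-seen counter.
type RelyingParty struct {
	Origin  string
	pub     *ecdsa.PublicKey
	counter uint32
}

// Verify checks the browser-reported origin and challenge, counter monotonicity, and the signature.
func (rp *RelyingParty) Verify(challenge string, clientData []byte, counter uint32, sig []byte) error {
	var cd map[string]string // client data {"origin": ..., "challenge": ...}, built by the browser
	if err := json.Unmarshal(clientData, &cd); err != nil {
		return err
	}
	if cd["origin"] != rp.Origin || cd["challenge"] != challenge {
		return errors.New("client data names another origin or challenge")
	}
	if counter <= rp.counter {
		return errors.New("counter did not increase (replay or cloned key)")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(rp.Origin, counter, clientData), sig) {
		return errors.New("bad signature")
	}
	rp.counter = counter
	return nil
}

// Demo runs a legitimate login, a replay of that assertion, and a look-alike-domain phish.
func Demo() (legit, replay, phish error) {
	master := sha256.Sum256([]byte("constructed demo master secret")) // constructed sample secret
	const origin, challenge = "https://accounts.example.com", "constructed-challenge-1"
	dev := &Authenticator{master: master[:]}
	handle, pub, err := dev.Register(origin)
	rp := &RelyingParty{Origin: origin, pub: pub}
	cd, _ := json.Marshal(map[string]string{"origin": origin, "challenge": challenge})
	ctr, sig, err2 := dev.Authenticate(origin, handle, cd)
	if legit = errors.Join(err, err2); legit == nil {
		legit = rp.Verify(challenge, cd, ctr, sig)
		replay = rp.Verify(challenge, cd, ctr, sig) // the same assertion again: the counter rejects it
	}
	// A look-alike site proxies the real challenge and handle, but the browser reports the origin the
	// user actually visited, so the key refuses before anything is signed.
	evil := "https://accounts-example.com.attacker.example"
	cd2, _ := json.Marshal(map[string]string{"origin": evil, "challenge": challenge})
	_, _, phish = dev.Authenticate(evil, handle, cd2)
	return legit, replay, phish
}
```

Two things to notice: the phishing attempt fails inside the device, because the MAC in the key handle is computed over the app ID the browser actually reports, so a proxying look-alike site never gets a signature to relay; and the server never holds anything secret, which is why a breached server end (Palancar's "other end of the pipe") leaks public keys and handles but not the ability to log in. The counter is what gives the server a chance of noticing a physically cloned key: a clone's counter falls behind the original's.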
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,197
    Yeah, I guess. But I love to play with stuff :)
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,083
    Location:
    Member state of European Union
  11. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,417
    You can buy Google's $50 set of Titan security keys now
    Two keys to success... or at least better two-factor authentication.
    August 30, 2018

    https://www.cnet.com/news/you-can-buy-googles-50-set-of-security-keys-now/
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,218

Hopefully they will quickly enable the NFC capabilities for better sales. I use NFC for Google Pay, so it's on already. My Yubis work perfectly for NFC and U2F on my accounts. Not having NFC would be "game over" for me. I don't run with Bluetooth on. Others may differ, but I am who I am. I am curious if they have tried these against Android Pie, which I have running in full developer mode.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,188
    Location:
    Here
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,417
    Google Titan Security Key review: An expensive, easy-to-use security key
    October 6, 2018
    https://mashable.com/review/google-titan-security-key/?europe=true&utm_cid=hp-h-1
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,188
    Location:
    Here
    Titan Security Key no longer available from the Google Store
    https://www.androidpolice.com/2019/...ey-no-longer-available-from-the-google-store/
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
I think the Titan stuff was always an interim solution; hopefully there will be adoption of FIDO2 and WebAuthn. If that works OK, that is, and there are decent adoption levels, which hasn't happened for 1st-gen U2F (which only ever worked with Chrome).
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,417
    Google Gives Free Security Keys to Activists, But Not if You’re in Iran or Syria
    April 26, 2019
    https://motherboard.vice.com/en_us/...keys-iran-syria-cuba-crimea-sudan-north-korea
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    89,849
    Location:
    Texas
    Google recalls its Bluetooth Titan Security Keys because of a security bug
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,417
    MFA is No Cure for Phishing
    May 31, 2019
    https://www.ethicalhacker.net/columns/kron/mfa-is-no-cure-for-phishing/
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,188
    Location:
    Here
    Google Titan Security Key now available in Canada, France, Japan, and the UK
    https://www.androidpolice.com/2019/...-available-in-canada-france-japan-and-the-uk/
     
  21. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
As far as I can tell, the Titan USB key is still the FIDO 1 U2F standard, which means it isn't supported on Edge and Firefox, only Chrome. If this is the case, and there's no support for FIDO2 WebAuthn, that's not a very good deal.

    This only seems to make sense if you're tying yourself to Google accounts, Chrome and Android.
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,417
    Google is releasing a USB-C Titan security key
    Made in partnership with Yubico
    October 14, 2019

    https://www.theverge.com/2019/10/14...o-yubikey-nfc-bluetooth-fido-os-compatibility
    Google: USB-C Titan Security Keys - available tomorrow in the US
     
  23. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
At least they're using YubiKey, so that means FIDO2 WebAuthn. And perhaps they've given up on over-the-air connections (BT and NFC), since bugs always crawl out of the woodwork. It'll be interesting to see what the API is to the new dongle over USB-C, and what apps support that on smartphones.

Yubico also do a combined USB-C and Lightning dongle, which will probably be more suitable for iOS users in the future (although I don't know the status of that project right now; it says "emerging support for Lightning connector").

Not sure how I'd feel about having to physically connect over USB-C often; the connector mounts will need to be robust, and not all phones are in that category. I'm rather happier with the current NFC connection really.
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,417
    Titan Security Keys - now available in Austria, Canada, France, Germany, Italy, Japan, Spain, Switzerland, and the UK
    February 18, 2020
    https://security.googleblog.com/2020/02/titan-security-keys-now-available-in.html
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,188
    Location:
    Here
    Google can add account security keys through Safari and mobile Chrome
    https://www.engadget.com/2020/03/07/google-enroll-security-keys-safari-android-chrome/
     